I have seen some messages about using Norton Power Eraser if malware got by Norton. What is Norton Power Eraser and why would Norton Power Eraser find a risk if NIS didn't?
And also, should I download and run it if I am not having any problems, just to see if it detects anything?
Thanks SendOfJive, I had forgotten to include that link.
Kevin, the main lesson here is to not take the tool lightly. I have tested this pretty heavily and there have been recent and very good changes made to the tool (compared to the past) but it is not considered an everyday scanning tool.
Let's remember too that NPE does not just remove everything it finds, it gives the user a chance to say yes or no to individual items before doing the "repair".
So while NPE is aggressive and might have false positives on occasion and in the worst case might flag a Windows system file for deletion, one has a chance to tell NPE "No, don't remove this".
The moral: the list should be reviewed carefully and if the user is at all unsure what to do, then come ask for advice.
Allen
Just like Hijackthis and other tools, this can also cause people to tell the user that you can have NPE remove "this file" just like people have done in the past with Hijackthis etc. when files or entries shouldn't be removed.
Why did I do the test of TDL3 (+) and NPE, hhhhmmmmm
I heard circulating basically NPE could successfully remove TDL3 and bootkits.
Bootkits I knew was a definite NO, I tested that anyway and it is a No for them.
Then TDL3 (+) well we know the result of NPE finding the infected driver and removing it, especially when it's a critical file infected.
Symantec also had the same result of causing the PC to become useless.
<< The moral: the list should be reviewed carefully and if the user is at all unsure what to do, then come ask for advice. >>
The problem there, which one knows from registry cleaners, is that if the unskilled user has confidence in Norton, as we hope he or she has, they are likely to take the attitude that the fact that it is listed makes it probably safe just to click on ALL !
People often don't know what they don't know ......
I say this without having run the current NPE although I think I ran the first ET/Beta and so I don't know how strong warnings are in NPE itself. Certainly here in the forums I believe we should stress even more strongly perhaps that you must know what the file is and what it does before you delete it.
In the same way, any message that is posted suggesting reinstalling Windows should include -- if you do not have backups of your data and media to reinstall your applications you will end up without them so you may wish to try a rescue operation first if only to see if you can save your data.
Rather as I say about Registry Cleaners -- if you do not know more than the utility does don't use it!
A few of us will recognize the Motto of the Cricket Umpire: "When in doubt say Not Out!"
This is why when I recommend NPE I have very explicit instructions about this. I include my boilerplate below.
For ALL I am not recommending you run this tool, the procedure below is just for illustration about the disclaimer I would use if I were to recommend using NPE. Please do NOT run this! I have DISABLED the link below just in case.
Please download the Norton Power Eraser (NPE) and save to a convenient location such as your desktop.
Run the NPE, accept the license agreement and then perform a scan.
Please note: do NOT change anything in the Settings tab unless explicitly requested to do so.
When the scan is completed you will get a results page listing anything that NPE found. Please be very careful before clicking on the Fix button. NPE uses pretty aggressive routines to detect malware and it may falsely alert on innocent files. If in doubt, let us know what was found by NPE and ask for guidance as to whether to have it fixed before proceeding.
Otherwise, ensure that Create System Restore Point is checked and then click Fix.
I think anyone recommending the use of NPE had better do some research to make absolutely sure whether the file(s) in question are Windows files before recommending the OP click on the Fix button.
All I or anyone can do is be very explicit about how this (or any) tool should be used. It is up to the OP (as always) whether to follow this advice or try to act on their own.
IMHO, the fact that a tool may be aggressive is not a reason to say that it has no usefulness.
Just my two cents worth.
Best wishes.
Allen
P.S. I will be happy to add something to my procedure if you feel that I am not being clear enough.
The original intent of this post was to request an explanation of Norton Power Eraser. The second question was "should it be used just to see if it detects anything".
Both of these questions were answered with the appropriate warnings that Norton Power Eraser is a last-resort, aggressive tool that should only be used under extreme circumstances.
It was also stated clearly that this is not a routine maintenance tool.
I do not recall anyone saying "give it a shot and see if it works". Certainly no one who has tested the tool would consider suggesting that.
There need to be some policies in place as the tool is readily available on the website and the information is confusing on the forum. Some posters, like AllenM, provide appropriate warnings. Others do not.
I do not recall anyone saying "give it a shot and see if it works". Certainly no one who has tested the tool would consider suggesting that.
Not those exact words but I have seen the likes of just
"You can also try Norton Power Eraser tool mentioned in this page:" "Let us know the results" That's it.
Or Download Norton Power Eraser and see if it finds anything.
That's close to "give it a shot and see if it works"
Maybe I should have just let the rumour continue about NPE being able to fix successfully TDL3 (+) let someone tell a user to use NPE and fix atapi.sys to remove TDL.
That would be some good lesson and readers to see the outcome for themselves.
I am glad to see people on this for asking help with Malware has gone down, I see they are still appearing on specialist Malware Removal Boards like Bleeping with Norton detecting malware that can't be removed. But they are in the right place.
Bardiscover is an adware infection. Due to the minor nature of the infection, add/remove was able to get rid of it.
Do you doubt that NPE could have accomplished this as well?
For me personally, I have a TEST laptop and I will happily infect it with the same malware in question (if possible) to ensure that NPE does the right thing. I have done this with quite a number of infections already, just so you know.
I have a test laptop for this very purpose as well as to test BETA software in general. By the way, NPE is not a BETA, I just mentioned this to say that I use my laptop for a variety of purposes and that is to TEST.
Both of these questions were answered with the appropriate warnings that Norton Power Eraser is a last-resort, aggressive tool that should only be used under extreme circumstances.
I am just concerned that this is not what I am seeing.
"Bardiscover is an adware infection. Due to the minor nature of the infection, add/remove was able to get rid of it.
Do you doubt that NPE could have accomplished this as well?"
NPE may or may not be able to remove the files involved, as well as listing other entries also. But the Safer option in this case was to uninstall via add/remove.
Oh and other programs can remove it also, like Combofix and OTL, but add/remove is the safest way, without going straight to the deep end.
Like for instance a piece of Malware can be removed by Combofix and MBAM / SAS, then use MBAM or SAS.
And I have tried NPE with 4 different Bootkits ( Mebroot, Mebratix, alipop and Whistler) and it didn't detect or remove any of them.
Quads
Hi Quads,
The question is whether NPE could have done the same thing or not. We're splitting hairs here.
As far as Mebroot goes, NO, NPE was NOT able to detect it but NBRT DID detect AND remove it. You know as well as I do that rootkit detection is questionable at best when Windows is running.
I also infected my TEST laptop with Mebroot and NBRT detected and removed it successfully with NO side effects.
"You know as well as I do that rootkit detection is questionable at best when Windows is running."
Maybe for you,
But not for me and what I can do, tools I have, then be able to remove them also, that way I don't need to worry about separate test machines.
So "rootkit (bootkit) detection is questionable at best when Windows is running" Not on my PC I can detect them with Windows running, questionable at best is NOT good enough for me.
Quads
Hi Quads,
My last response on the issue. The only important thing is that the infection is found and properly eliminated and whether that is done via a tool run within Windows or through an offline tool is immaterial.
A properly eliminated infection is just that, properly eliminated.
I am sure you won't disagree with that statement. In either case I am not going to continue debating this in this manner.
No one questions your expertise in malware removal Quads.